... method of claim ... wherein the network events include monitoring network
connections by monitoring a correlation of network connection requests and network connection
denials.

37. The method of claim 28 wherein the network events include monitoring errors by
monitoring error codes included in a network packet. 

38. The method of claim 28 wherein the network events include monitoring errors by
monitoring network packet privilege codes. 

39. The method of claim 28 wherein the integrating comprises:
filtering network events; and 
summarizing network events. 

40. The method of claim 28 wherein the correlating comprises:
filtering the integrated network events; and
summarizing the network events.

41. The method of claim ... further comprising:
distributing the correlated network events via a link to subscribers.

42. The method of claim ... wherein the link is a secured link.

43. The method of claim 41 wherein the distributing comprises sending the correlated
network events via electronic mail. 

44. The method of claim 41 wherein the subscribers are the service monitors.

45. The method of claim 41 wherein the subscribers are the domain monitors.

46. The method of claim 44 further comprising:
filtering the received correlated network events in the service monitors; and
summarizing the received filtered correlated network events in the service

The method of claim 44 further comprising:
filtering the received correlated network events in the domain monitors; and
summarizing the received filtered correlated network events monitors.

A method of hierarchical event monitoring and analysis within an enterprise
network comprising:
deploying hierarchical network monitors in the enterprise network;
detecting, by the hierarchical network monitors, suspicious network activity based
on analysis of network traffic;
generating, by the hierarchical network monitors, reports of the suspicious
activity; and
automatically receiving and integrating the reports of suspicious activity, by one
or more hierarchical network monitors.

49. The method of claim 48 wherein the hierarchical network monitors are located in
domains of the enterprise network. 

50. The method of claim 48 wherein the analysis of network traffic comprises 
monitoring data transfer errors. 

51. The method of claim 48 wherein the analysis of network traffic comprises
monitoring data transfer volume.

52. The method of claim 48 wherein the analysis of network traffic comprises
monitoring network connection requests.

53. The method of claim 48 wherein the analysis of network traffic comprises
monitoring network connection denials.

54. The method of claim 48 wherein the analysis of network traffic comprises
monitoring a correlation of network connection requests and network connection denials. 

55. The method of claim 48 wherein the analysis of network traffic comprises 
monitoring rejected packet error codes.

56. The method of claim 48 wherein the analysis of network traffic comprises 
monitoring privilege error codes. 

57. The method of claim 48 wherein generating reports comprises:
filtering the suspicious network activity; and
summarizing the filtered suspicious network activity.

58. The method of claim 49 wherein receiving and integrating the reports of
suspicious activity is performed in domain network monitors associated with sets of network

60. The method of claim 58 wherein integrating the reports is performed in
domain monitors.

61. The method of claim 59 wherein integrating the reports is performed in the
enterprise network monitor. 

62. The method of claim 61 wherein the integrating comprises:
correlating the suspicious ... activity based on commonalities,

63. The method of claim 62 further comprising:
invoking countermeasures ... integrated reports of suspicious network activity

64. The method of claim ... wherein the network monitors include an application
program interface (API) for encapsulation of monitor functions and integration of third party
tools.

65. The method of claim 48 wherein the enterprise network is a TCP/IP network.

66. The method of claim 48 wherein the network monitors are deployed in gateways.

67. The method of claim 48 wherein the network monitors are deployed in routers.

The method of claim 48 wherein the network monitors are deployed in proxy

In the Abstract:

On page 37, delete lines 1-8 and insert: 

A method of hierarchical event monitoring and analysis within an enterprise
network including deploying hierarchical network monitors in the enterprise network, detecting,
by the hierarchical network monitors, suspicious network activity based on analysis of network
traffic, generating, by the hierarchical network monitors, reports of the suspicious activity and
automatically receiving and integrating the reports of suspicious activity, by one or more
hierarchical network monitors.




REMARKS 

Applicants submit this preliminary amendment in the filing of a 37 C.F.R. 1.53(b)
continuation. 



